Dear patient,

we would like to provide you with some information on the EU Regulation 2016/679 of the European Parliament and Council of 27 April 2016 (“Regulation“) on data processing carried out at ISMETT – Istituto Mediterraneo per i Trapianti e Terapie ad Alta Specializzazione (“ISMETT“). You will receive documents that concern your involvement in activities such as drug trials or generic data collection.

ISMETT is a center of excellence in the field of transplantation and highly specialized therapies, accredited by JCI (Joint Commission International), an international body that certifies excellence of health care organizations, and compliance with high standards of quality and safety recognized by the international scientific community.

ISMETT was created by a partnership between the Region of Sicily and UPMC (University of Pittsburgh Medical Center) that is based in Pittsburgh, Pennsylvania, U.S. This collaboration resulted from the need to provide state-of-the-art clinical services using the experience and know-how of UPMC and of its network of hospitals (“UPMC Group“) with which there is an ongoing exchange of information. In order to ensure a close collaboration with these top international facilities, ISMETT’s management was entrusted to UPMC Italy (“UPMCI”), the Italian subsidiary of the UPMC Group.

ISMETT will ask you or third parties (e.g., your family doctor) to provide your personal data (name, address, etc.), information on your health status (diseases, lab results, diagnostic tests, ongoing therapies) and, if required, on your sex life or social and psychological scope. Furthermore, your images may be obtained to request consults, also via telemedicine, from external experts and assess your health during treatment, if necessary. To safely verify your identity, you will be asked to wear a wristband that includes your personal information (name, surname, date of birth, patient code and visit code) by means of RFID (radio frequency identification) technology. This device associates you in a safe and reliable way with your lab tests, test tubes, blood units, and other information.

Your personal data is collected and processed so you can access clinical services (outpatient procedures, admissions, patient care, diagnosis, rehabilitation, and prevention) and to fulfill the related administrative and accounting requirements. In addition, if required, we will send you your plan of care and instructions on how to prepare for your tests. The legal basis of data processing is art. 6.1.b (“processing necessary for the performance of a contract to which the data subject is a party”) and art. 9.2.h of the Regulation (“processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services pursuant to contract with a health professional”).

To this extent, your data may be shared with the following:

  • family doctors;
  • social security institutions, insurance companies covering civil liability of ISMETT towards third parties or providing ancillary clinical services to ISMETT, and professionals who may be involved in the defense of ISMETT and of its staff;
  • health system, institutions and municipalities (e.g., for verification of social services or their activation); diplomatic offices; institutions, surveillance bodies and agencies to verify the provision of patient care services (e.g. [Italian] Provincial Health Authority, a.k.a. “ASP”); certifying bodies (e.g., JCI, OHSAS, ISO) for certifications, and third parties auditing the quality and appropriateness of patient care for purposes of quality improvement;
  • public and private hospitals (for tests and exams that cannot be performed at ISMETT), the national and regional transplant centers, diseases registries, public and private research centers, and for any other legal obligation.

ISMETT is a government-approved research hospital  (“IRCCS“) that participates in multiple research projects in order to improve its levels of patient care and contribute to the general development of medical knowledge. Specifically, ISMETT carries out research activity in the following areas, for which it was acknowledged as an IRCCS (i.e., “Current Research”): transplantation and end-stage organ failure; innovative surgical and diagnostic and interventional radiology and endoscopy techniques; regenerative medicine; clinical immunology and immunotherapy; infectious diseases and molecular medicine; Information & Communication Technology applied to health care. This research activity is funded by the Italian Ministry of Health on a three-year plan basis, and is aimed at developing and enhancing medical and biomedical knowledge in the interest of public health (art. 12-Bis, legislative decree 502 of 30 December 1992).

The use of data in Current Research or research projects governed by other laws does not require patient consent as this activity is carried out in the public interest (art. 6.1.e and 9.2.j of the Regulation in connection with articles 110 and 110-bis of legislative decree 196/2003 and subsequent additions and amendments).

Your consent is required for personal data usage when conducting clinical studies not financed by the Italian Ministry of Health or not provided for by law, but conducted by ISMETT (both internally and in collaboration with other centers located inside and outside the European Union, in research areas listed at the following link Since  at this stage it is not possible to identify the clinical trials that will be initiated by ISMETT, we ask you to express your willingness to cooperate in developing scientific knowledge allowing ISMETT to store your data for this purpose. If you provide your consent, your personal data (except for genetic data) will be encoded (i.e., marked only with a code consisting of numbers and letters, and not your name), entered in a database, and stored for a maximum period of 25 years. The legal basis for this processing is therefore your consent (articles 6.1.a and 9.2.a of the Regulation). The data stored in the database will be used for future studies in an anonymous form (i.e., the identity of the patients cannot be traced). If it is not possible to anonymize the data, your specific consent will be collected (articles 6.1.a and 9.2.a of the Regulation).

These studies shall be conducted using information already collected or to be collected in the course of standard patient care, from previous studies, or from biological samples obtained for patient care and stored in the laboratories or in the biobank of ISMETT. Participating to these research projects will not interfere in any way with regular patient care and requires no additional tests or treatments for patients. These studies do not involve collecting genetic data (i.e., information relating to inherited or acquired genetic characteristics providing unique information on the physiology or health of a person).

In addition, in order to protect patient confidentiality the information, health data, and biological samples are stripped of patient identification data and marked with a code consisting of letters and numbers. The list that allows to associate this code with the patient’s personal data is in the possession exclusively of the principal investigator and filed as confidential documentation. Access to data directly ascribable to a patient will only be possible extracting data from the original clinical documentation and during potential monitoring activity (i.e., checking for correspondence of the data used for research with those contained in the medical record), or should this be necessary to update the research data. Should it be no longer necessary to trace the identity of a patient, anonymization techniques will also be applied so that data is no longer traceable to the patient. Encryption is used for data storage and transfer, preventing access by unauthorized parties. Data is stored for a period of at least seven years after the completion of the research project, or for a longer period in compliance with the applicable laws or agreements between the participating centers. Research outcomes are spread only in aggregated form, i.e. in ways that do not render identifiable the data subjects.

A list of all ongoing studies (regularly updated) is available at ISMETT and on its official website, under the “Research” page, divided by area. Also, for Current Research and statutory studies the according information notes are also published. For further information, you may request a meeting with the principal investigators or the Data Controller – Research Office.

Please remember that you are free to provide or to deny your consent. You are entitled at any time to consent or deny the processing of your data and samples for research purposes, without prejudice to your medical care, contacting the addresses listed in the following paragraph “HOW CAN I EXERCISE MY RIGHTS?”.  In this case, the biological sample if still attributable to you will be destroyed (except for preservation for purposes of treatment only).

ISMETT is committed to monitor and assess the effectiveness of the patient care delivered, its appropriateness and quality as well as clinical risk factors beyond those provided for by law. In particular, the goal of ISMETT is to assess and compare the appropriateness, efficacy, effectiveness, and efficiency of care provided to different population groups and facilities, also with reference to specific diseases or health issues. In order to use patients’ personal data for such purposes, patients are required to provide informed consent as legal basis of data processing, art. 9.2.a of the Regulation (“the data subject has given explicit consent to the processing“). If you wish to authorize ISMETT to process your data, also collected in the past, to conduct these important tests that could provide useful information for your treatment, please give your consent by ticking the appropriate box at the end of this document. If you do not express your consent we will not be able to use the data for these tests. You will however still be entitled to receive care at ISMETT. Also, ISMETT will be involved in surveillance systems and registries collecting data on diseases and risks for the patients’ health under the current regulations. For the use of data as part of these activities it is not necessary to collect patient consent as provided for by law (art. 6.1.b of the Regulation, “processing is necessary to fulfill a legal obligation” and, as to the exemption from the prohibition of the processing of particular data, art. 9.2.i of the Regulation, “treatment necessary for the guarantee of high parameters of quality and safety relating to patient care, medicines and medical devices, required by law”).

If you sign the consent you will receive information materials on ISMETT’s projects and services, campaigns, and fund raising initiatives. For this purpose, the legal basis of the processing is represented by the consent (art. 6.1.a of the Regulation and, as regards the exemption from the prohibition of processing particular data, art. 9.2.a of the Regulation, “explicit consent of the data subject”). Your data will be stored for 24 months from the time of its collection. If you do not provide consent we will not be able to send you this information.

An electronic file, known as “dossier sanitario“, is used at ISMETT to allow clinicians to access all the clinical history of patients. This tool enables clinicians to access more complete information on patients’ health status improving treatment. It can only be activated with the patient’s consent.

Therefore, only if you give consent to the creation this electronic file (as the basis of lawfulness of processing under art. 6.1.a of the Regulation and, as regards the exemption from the prohibition of processing particular data, of the art. 9.2.a of the Regulation – “explicit consent of the data subject”), ISMETT clinicians will be able to access information relating to the treatment performed at ISMETT, also at different times. You may decide for specific information to not be included in your electronic file, asking the Director of Health Care Activities to “obscure” this information. To file a similar request contact In the same way, you may oppose at any time to adding further data to your electronic file, while still being entitled to receive care at ISMETT, as well as withdrawing your decisions at any time. You will be asked to expressly authorize the inclusion in your electronic file also of data subject to higher levels of protection of anonymity (e.g., , data relating to acts of sexual violence or pedophilia, voluntary interruption of pregnancy, HIV infections or use of narcotics, psychotropic substances and alcohol).

Should you not consent to creating your electronic file, the physicians and health care providers will only be able to access data relating to that particular treatment. Without prejudice to your freedom to provide or to deny consent to the creation of your electronic file, please be aware that having health care providers not being able to access information on specific tests or treatments may negatively affect your care, entailing a release of liability for the above mentioned clinicians.

Finally, please note your electronic file could be accessed, also without your consent, should this be deemed necessary to protect the physical safety of a third party or of the community.

Data processing is performed using both paper and electronic tools, adopting appropriate safety measures to guarantee data confidentiality and security.

Your personal data will be processed by the clinical and administrative staff of ISMETT and UPMCI acting on the basis of specific instructions on the purposes and methods of data processing, and obliged to comply with professional secrecy and confidentiality. For training purposes, clinical treatment may be performed in the presence of medical students. In this event, all necessary precautions shall be taken to limit any potential inconvenience, and your will to not abide by this procedure will be respected.

Your data may also be communicated, in addition to the parties listed under item 1, to third parties appointed data processors or persons authorized to data processing providing ancillary services to the activity of ISMETT, such as:

  • external consultants;
  • volunteer patient care associations;
  • hospital catering companies;
  • other subjects providing services instrumental to ISMETT’s operations.

Your data may also be disclosed to independent data controllers in fulfillment of legal obligations or for the protection of one’s rights in judgment (e.g., health service, institutions, municipalities, social security and welfare bodies, national and regional transplant center, disease registers, insurance companies).

The updated list of UPMC Group hospitals, data processors, and independent data controllers who have access to the data is available from the Data Controller – Office of the Director of Health Care Activities or the DPO, that can be reached at the addresses listed below.

Information regarding your stay at ISMETT and your health status will only be provided to your relatives and friends, without prejudice to the provisions of law.

In addition to the above, your personal data will be kept in accordance with the [Italian] Ministry of Health’s requirements pursuant to circular letter 61 of 19 December 1986. In particular, data contained in medical records and reports will be kept indefinitely, while radiology images will be stored for a period of no less than ten years. More information may be obtained contacting the Data Controller – Office of the Director of Health Care Activities or the DPO at the addresses listed below.

Articles 15 and following of the Regulation establish your right to obtain:

  • confirmation that the paper and electronic archives of ISMETT do not contain personal data that concern you, to obtain a copy on paper or electronic media, and obtain information on data processing (purposes, categories of data, recipients, period of storage etc.);
  • data correction or integration;
  • deletion of data in the event of consent withdrawal in the absence of legal basis for data processing;
  • should this satisfy the assumptions, a copy of your personal data in a structured format;

Should this satisfy the assumptions, data subjects have the right to file a complaint to the Italian Data Protection Authority (“Garante” – in its capacity of supervisory authority, in accordance with the current policies. A template of the request is available from the Italian Data Protection Authority


  • Once your electronic file is created you may:
    • revoke your consent to its creation;
    • request to obscure selected clinical events;
    • visualize the accesses that have taken place.
  • If you have provided consent to using your data for research purposes, to verify the quality and appropriateness of patient care and treatments, and to schedule clinical activity will be able to:
    • withdraw your consent to your data and sample processing at any time, and this will not affect your treatment;
    • ask to modify and integrate data: in this case the requests for modifications will be noted without modifying the data, when these operations fail to produce significant effects on the research outcome;
    • request that your data used for research purposes be transformed into anonymous form;
    • obtain information on the projects in which your data have been used, and the list of the centers involved in these projects.

The rights may be exercised contacting the Data Controller – Office of the Director of Health Care Activities at the address of the joint controllers or emailing or contacting the ISMETT DPO at: ISMETT- Data Protection Officer, 90133 Palermo, Via Discesa dei Giudici 4, or emailing

Similarly, with regard to data processed in the context of clinical studies and research, the aforementioned rights may be exercised by contacting the Data Controller – Research Office at the address of the joint controllers, or emailing .

Joint controllers are Istituto Mediterraneo per i Trapianti e Terapie ad Alta Specializzazione (ISMETT) and UPMC Italy, both headquartered in Via Discesa dei Giudici 4, 90133 Palermo, Italy.


Last updated: March 2024 (Version 4)